Analysis Overview
SHA256
9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
Threat Level: Known bad
The file 161db86eb5f9237449a1027c1f63f310N.exe (SHA256 above) was classified as Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-30 21:43
Signatures
Urelas family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 21:43
Reported
2024-07-30 21:45
Platform
win7-20240704-en
Max time kernel
89s
Max time network
87s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe
"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
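The process tree above is the detectable part of this run: an executable in the user's Temp directory starts a second executable from the same directory (huter.exe) and then runs cmd.exe /c on a .bat from that directory (sanfdr.bat, the process the report credits with "Deletes itself"). The following is an added example, not output of the sandbox or code from the report, that flags exactly that chain over process-creation events. The event records are constructed: the PIDs 3632, 772 and 1476 are taken from the behavioral2 WriteProcessMemory rows, the parent/child links are assumed from those rows, the launcher PID 1234 and the explorer.exe control chain are invented for the test.

```python
"""Flag the Urelas-style dropper chain seen in the sandbox process tree:
a user-Temp executable that (a) launches a sibling executable from the same
Temp directory and (b) launches cmd.exe /c on a sibling .bat.
Added example; the event records below are constructed, not sandbox output."""
import ntpath
import re
from dataclasses import dataclass

# %LOCALAPPDATA%\Temp of any user, matched case-insensitively on a Windows path.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# cmd.exe /c with a quoted or unquoted .bat path; tolerates the doubled quotes
# the report shows:  cmd /c ""C:\...\sanfdr.bat" "
BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)\b', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started image
    cmdline: str


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def bat_from_cmdline(ev: ProcEvent):
    """Return the .bat path if this event is cmd.exe /c <something>.bat, else None."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = BAT_RE.search(ev.cmdline)
    return m.group(1) if m else None


def detect_dropper_chain(events):
    """One alert per Temp-resident parent that both spawned a sibling image
    and ran cmd.exe on a sibling .bat (the dropper + self-delete pattern)."""
    by_ppid = {}
    for ev in events:
        by_ppid.setdefault(ev.ppid, []).append(ev)

    alerts = []
    for parent in events:
        if not in_user_temp(parent.image):
            continue
        pdir = ntpath.dirname(parent.image).lower()
        children = by_ppid.get(parent.pid, [])
        dropped = [c.image for c in children
                   if ntpath.dirname(c.image).lower() == pdir
                   and c.image.lower() != parent.image.lower()]
        bats = [b for c in children
                if (b := bat_from_cmdline(c)) and ntpath.dirname(b).lower() == pdir]
        if dropped and bats:
            alerts.append({"parent_pid": parent.pid, "parent": parent.image,
                           "dropped_exe": dropped, "batch": bats})
    return alerts


# Constructed events modelled on the behavioral2 tree. PIDs 3632/772/1476 are in
# the report; parent links are assumed from its WriteProcessMemory rows; PID 1234
# (sandbox launcher) and the explorer.exe chain are invented as a benign control.
SAMPLE_EVENTS = [
    ProcEvent(3632, 1234, r"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"'),
    ProcEvent(772, 3632, r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\huter.exe"'),
    ProcEvent(1476, 3632, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Program Files\Vendor\update.bat"'),
]

if __name__ == "__main__":
    for alert in detect_dropper_chain(SAMPLE_EVENTS):
        print(alert)
```

Requiring both conditions keeps the rule quiet on installers that only run a batch file, while the sibling-directory check ties the .bat and the second executable to the same drop location rather than to Temp in general. The batch file's contents are not shown in the report, so the rule keys on the launch, not on what the script does.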
Network
| Country | Destination | Domain | Proto |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| KR | 112.175.88.207:11150 | | tcp |
Files
memory/2248-0-0x0000000000400000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | c823d0ea71e50abd7b92247b560a6a8f |
| SHA1 | e64be127faed759c8802fed04a6421271512fc42 |
| SHA256 | 72d9404e525ce99d0b60e0f08a01b074bdf9d2b3cfbea09583be4f8c454fedaa |
| SHA512 | a3a96bab9126a3659e37a382c4dd65aa43f62ff5973c60de6386b8718b35f25cfb9dbf1d649e5efd33c051976ded9a8f63f1d96fd5c9a4d04cec19ae4aeb749a |
memory/2880-10-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2248-9-0x0000000002BD0000-0x0000000002C01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 5334015acd267d9ce6e95138f9ed96b2 |
| SHA1 | 5f0c2ba5938255d9fe446a438a61f37c361fa48d |
| SHA256 | e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9 |
| SHA512 | 3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8 |
memory/2248-19-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/2880-22-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2880-24-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2880-31-0x0000000000400000-0x0000000000431000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 21:43
Reported
2024-07-30 21:45
Platform
win10v2004-20240730-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3632 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3632 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3632 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Users\Admin\AppData\Local\Temp\huter.exe |
| PID 3632 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3632 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3632 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe
"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"
C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 112.175.88.209:11120 | | tcp |
| KR | 112.175.88.208:11150 | | tcp |
| KR | 112.175.88.209:11170 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| KR | 112.175.88.207:11150 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3632-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\huter.exe
| MD5 | c0d0014cbb2dab1f19018c9a684932cd |
| SHA1 | 070a9bf13ffe41026a2e02b91c27535ffe09085f |
| SHA256 | 6ad7cd2f528bc3f711d5b95ce5738b1af8263e7c24c0c630a5007da8f2430519 |
| SHA512 | e5375192b24f647dbc195299b274aed2ad3efe49696dc315309b7331ab49f0c3ebb2c809d4848ecb6dee80322e52ef21e4fd20000471531e96a38631d35a7290 |
memory/772-14-0x0000000000400000-0x0000000000431000-memory.dmp
memory/3632-18-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
| MD5 | 5334015acd267d9ce6e95138f9ed96b2 |
| SHA1 | 5f0c2ba5938255d9fe446a438a61f37c361fa48d |
| SHA256 | e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9 |
| SHA512 | 3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a01dba4c45102fc15292fd5591166536 |
| SHA1 | d96191c30e0f09439d8547f4ededbf6726ccd54b |
| SHA256 | cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904 |
| SHA512 | 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32 |
memory/772-21-0x0000000000400000-0x0000000000431000-memory.dmp
memory/772-23-0x0000000000400000-0x0000000000431000-memory.dmp
memory/772-29-0x0000000000400000-0x0000000000431000-memory.dmp
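Comparing the two detonations is where this report earns its keep: sanfdr.bat and golfinfo.ini have the same SHA256 in the Win7 and Win10 runs, while huter.exe has a different hash each time, and both runs contact the same three hosts in 112.175.88.0/24 on ports 11120, 11150 and 11170. The following is an added example, not part of the sandbox report, that consolidates the Files and Network tables of both runs into one IOC set and separates hash indicators that survive across runs from those that do not. The hashes and endpoints are copied from the tables above; the exclusion of the port-53 traffic is a choice made here, because the report attributes the PTR lookups to no process.

```python
"""Consolidate indicators from both detonations and split the stable ones
(identical in every run) from the volatile ones.
Added example; hashes and endpoints are copied from the report tables."""
from collections import defaultdict
from ipaddress import ip_address

# (run, dropped file, SHA256) as listed in the two Files sections.
DROPPED = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
     "72d9404e525ce99d0b60e0f08a01b074bdf9d2b3cfbea09583be4f8c454fedaa"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat",
     "e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
     "6ad7cd2f528bc3f711d5b95ce5738b1af8263e7c24c0c630a5007da8f2430519"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\sanfdr.bat",
     "e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904"),
]

# (run, destination "ip:port", domain or empty, proto) from the Network tables.
NETWORK = [
    ("behavioral1", "112.175.88.209:11120", "", "tcp"),
    ("behavioral1", "112.175.88.208:11150", "", "tcp"),
    ("behavioral1", "112.175.88.209:11170", "", "tcp"),
    ("behavioral1", "112.175.88.207:11150", "", "tcp"),
    ("behavioral2", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral2", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("behavioral2", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("behavioral2", "112.175.88.209:11120", "", "tcp"),
    ("behavioral2", "112.175.88.208:11150", "", "tcp"),
    ("behavioral2", "112.175.88.209:11170", "", "tcp"),
    ("behavioral2", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("behavioral2", "112.175.88.207:11150", "", "tcp"),
    ("behavioral2", "8.8.8.8:53", "29.243.111.52.in-addr.arpa", "udp"),
]


def classify_dropped(rows):
    """Split dropped files into those with one SHA256 across all runs (durable
    hash IOCs) and those whose hash differs per run (hash is not durable)."""
    hashes = defaultdict(set)
    for _run, path, sha in rows:
        hashes[path.lower()].add(sha.lower())
    stable = {p: next(iter(s)) for p, s in hashes.items() if len(s) == 1}
    volatile = {p: sorted(s) for p, s in hashes.items() if len(s) > 1}
    return stable, volatile


def c2_endpoints(rows, resolver_port=53):
    """Direct TCP endpoints seen in any run, deduplicated and sorted.
    Port-53 traffic to the resolver is excluded by choice: the report ties
    those PTR lookups to no process, so they are not treated as C2 here."""
    out = set()
    for _run, dest, _domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if proto != "tcp" or int(port) == resolver_port:
            continue
        out.add((ip_address(host), int(port)))
    return sorted(out)


def hosts_and_ports(endpoints):
    """Collapse endpoints to distinct hosts and distinct ports for pivoting."""
    hosts = sorted({str(h) for h, _ in endpoints})
    ports = sorted({p for _, p in endpoints})
    return hosts, ports


if __name__ == "__main__":
    stable, volatile = classify_dropped(DROPPED)
    print("stable:", stable)
    print("volatile:", volatile)
    print("c2:", hosts_and_ports(c2_endpoints(NETWORK)))
```

The practical reading: block or hunt on the stable sanfdr.bat and golfinfo.ini hashes and on the path-plus-behaviour pattern for huter.exe, not on any one huter.exe hash, since it changed between the Win7 and Win10 runs; on the network side the three adjacent hosts and three high ports are a tighter indicator together than any single IP.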